Post thumbnail
This talk by Alyssa Miller is fascinating and thought provoking. She frames a focus on integrating threat modeling into devops. The question of ‘what are we working on’ is answered with use cases, and threat modeling for that sprint is scoped to the use cases. ‘What can go wrong’ is focused on a business analysis…
Read More Threat Model In My DevopsThere’s an interesting and detailed blog post from Antti Vähä-Sipilä and Heli Syväoja at the F-Secure blog, Using SAFe® to align cyber security and executive goals in an agile setting. What I find most useful is the detailed and specific elements of how to bring threat modeling into the Scaled Agile Framework, in particular: Security…
Read More Threat Modeling & the SAFE Framework
Post thumbnail
I’m excited to see that they’re Re-introducing the Cyentia Research Library, with cool (new?) features like an RSS feed. There are over 1,000 corporate research reports with data that companies paid to collect, massage, and release in a way they felt would be helpful to the rest of the world. The Cyentia Library lets us…
Read More The Cyentia Library Relaunches
Post thumbnail
Juneteenth is the celebration of the end of slavery in the US. We need more holidays that celebrate freedom. Freedom isn’t always comfortable or easy, but it is the precondition to the pursuit of happiness. BTW, we’ve been celebrating Juneteenth here on this blog for a long time, if no more consistently than anything else…
Read More Happy Juneteenth!
Post thumbnail
I’m happy to announce Shostack & Associate’s new, first, corporate white paper!It uses Jenga to explain why threat modeling efforts fail so often. I’m excited for a lot of reasons. I care about learning from failure. I love games as teaching tools. But really, I’m excited because the paper has helped the people who read…
Read More The Jenga View of Threat Modeling
Post thumbnail
I want to call out some impressive aspects of a report by Proofpoint: TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware. There are many praise-worthy aspects of this report, starting from the amazing lack of hyperbole, and the focus on facts, rather than opinions. The extraordinary lack of adjectives…
Read More Threat Research: More Like This
Post thumbnail
The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness. But even more important is my belief that to reach developers Star Wars is better than Star Trek is confirmed. No bias there.
Read More Sonatype Report on DevSecOps
Post thumbnail
Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed: “Abstract: Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an approach for…
Read More Contextualisation of Data Flow Diagrams…
Post thumbnail
There’s an interesting new draft, Best Practices for IoT Security:What Does That Even Mean? It’s by Christopher Bellman and Paul C. van Oorschot. The abstract starts: “Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product…
Read More “Best Practices for IoT Security”As security professionals, have we ever sat down and truly made an effort to empirically determine what controls are actually effective in our environment and what controls do very little to protect our environment or, worse yet, actually work to undermine our security. That’s from The Need for Evidence Based Security, by Chris Frenz, is…
Read More Evidence Based Security